Detecting BGP Configuration Faults with Static Analysis

The Internet is composed of many independent autonomous systems (ASes)
that exchange reachability information to destinations using the Border
Gateway Protocol (BGP). Network operators in each AS configure BGP
routers to control the routes that are learned, selected, and
announced to other routers. Faults in BGP configuration can cause forwarding
loops, packet loss, and unintended paths between hosts, each of which
constitutes a failure of the Internet routing infrastructure.

This paper describes the design and implementation of rcc,
the router configuration checker, a tool that finds faults in BGP
configurations using static analysis. rcc detects faults by checking constraints that are based on
a high-level correctness specification. rcc detects
two broad classes of faults:
route validity faults, where routers may learn routes that do
not correspond to usable paths, and path visibility faults,
where routers may fail to learn routes for paths that exist in the
network. rcc enables network operators to test and debug
configurations before deploying them in an operational network,
improving on the status quo where most faults are detected only during
operation. rcc has been downloaded by more than sixty-five network
operators to date, some of whom have shared their configurations with
us. We analyze network-wide configurations from 17 different ASes to
detect a wide variety of faults and use these findings to motivate
improvements to the Internet routing infrastructure.